System and method for issuing a certificate to permit access to information

ABSTRACT

A system for issuing a certificate to permit access to information, the system including: an identification service to receive dynamic biometric and contextual data regarding an individual located within an area, and to receive at least one of stored identity, biometric, and contextual data for a given individual to provide an identity estimate and a level of certainty indicator of a match based on comparison of the biometric and contextual data regarding the individual to the biometric and contextual data regarding the subscribers; a registration authority to receive the identity estimate and the level of certainty indicator, and to determine whether a certificate should be issued to an individual based on the level of certainty indicator; and a certificate authority to issue the certificate upon determining that the certificate should be issued, wherein the certificate will allow an individual to use the computing device to access an information system.

FIELD

The present disclosure relates to a system and method for issuing acertificate to permit access to information.

BACKGROUND

In existing systems, logical access to remote information systems isoften dependent upon proof of possession of the private key in anasymmetric key pair certified by a trusted third party known as acertificate authority within a Public Key Infrastructure (PKI).Distribution of these certified key pairs, or PKI credentials, forauthentication of users is traditionally performed on hardware tokenssuch as smart cards or key fobs, but can be installed locally in theclient device used to access the remote information system in order toimprove the user experience. Certifying keys on the hardware token orclient device for this purpose necessitates identity vetting by aregistration authority to ensure that the possessor of the private keyis the individual identified in the PKI credential's X.509 certificate.Some organizations use a derived credential issuance model to issue PKIcredentials, wherein proof of possession of a previously-issued hardwaretoken, through electronic authentication, can be used in place ofin-person identity vetting to authorize the enrollment of a new PKIcredential installed locally on the client device. These derivedcredential issuance models necessitate the deployment of hardware tokensprior to the issuance of derived credentials. Once in-person identityvetting has been performed for the issuance of the hardware token,further identity vetting is not required for subsequent credentials.Also, in existing systems that use biometric sampling to authorizeaccess to keys stored locally on a client device, the biometric samplesare only used to unlock access to resources stored locally on the deviceand the client device must already be in possession of certified keys inorder to authenticate to remote systems.

A paper entitled “Guidelines for Derived Personal Identity Verification(PIV) Credentials” by the National Institute of Standards andTechnology, NIST Special Publication 800-157, December 2014, byHildegard Ferraiolo et al. describes technical guidelines for theimplementation of standards-based, secure, reliable, interoperablepublic key infrastructure (PKI) based identity credentials that areissued by federal departments and agencies to individuals who possessand prove control over a valid PIV card.

A paper entitled “Biometric Specifications for Personal IdentityVerification” by the National Institute of Standards and Technology,NIST Special Publication 800-76-2, July 2013, by Patrick Grother et al.describes the Personal Identity Verification (PIV) standard for federalemployees and contractors. This paper also describes technicalacquisition and formatting specifications for a PIV system, including aPIV card.

A paper entitled “Cryptographic Message Syntax (CMS)” by R. Housley,Network Working Group, September 2009, describes the CryptographicMessage Syntax (CMS) which is used to digitally sign, digest,authenticate, or encrypt arbitrary message content.

A paper entitled “A Software Consulting Service for Network Users” byAlexander McKenzie, Network Working Group, Nov. 27, 1972, describes asoftware consulting service for network users.

A paper entitled “Enrollment over Secure Transport” by M. Pritikin etal., Internet Engineering Task Force, October 2013, describescertificate enrollment for clients using Certificate Management over CMS(CMC) messages over a secure transport.

A paper entitled “Simple Certificate Enrollment Protocol” by M. Pritikinet al., Internet Engineering Task Force, Sep. 7, 2011, describes theSimple Certificate Enrollment Protocol (SCEP), a Public KeyInfrastructure (PKI) communication protocol which leverages existingtechnology by using PKCS #7 and PKCS #10 over HTTP.

A paper entitled “Internet X.509 Public Key Infrastructure CertificateManagement Protocol (CMP)” by C. Adams et al., Network Working Group,September 2005, describes an Internet standards track protocol for theInternet community, and requests discussion and suggestions forimprovements.

A paper entitled “Certificate Management over CMS (CMC)” by J. Schaad etal., Network Working Group, June 2008, defines the base syntax for CMC,a Certificate Management protocol using the Cryptographic Message Syntax(CMS).

SUMMARY

An exemplary embodiment of the present disclosure provides a system forissuing a certificate to permit access to information, the systemincluding: a memory storing a directory that includes identity data,biometric data, and contextual data regarding subscribers; anidentification service processor module configured to receive dynamicbiometric data and dynamic contextual data regarding an individual whenthat individual is located within an area, and to receive from thememory at least one of stored identity data, biometric data andcontextual data for a given individual so as to provide an identityestimate and a level of certainty indicator of an identity match basedon a comparison of the dynamic biometric data and the dynamic contextualdata regarding the individual to the stored biometric data and thestored contextual data regarding the subscribers; a registrationauthority processor module configured to receive the identity estimateand the level of certainty indicator from the identification serviceprocessor module, and to determine whether a certificate should beissued to an individual based on the level of certainty indicator; and acertificate authority processor module configured to issue thecertificate to a computing device when it is determined that thecertificate should be issued, wherein the certificate will allow anindividual to use the computing device to access an information system.

An exemplary embodiment of the present disclosure provides a method forissuing a certificate to permit access to information, including:storing identity data, biometric data, and contextual data regardingsubscribers in a directory of a memory; receiving, in an identificationservice processor module, dynamic biometric data and dynamic contextualdata regarding an individual when that individual is located within anarea; receiving, in the identification service processor module, atleast one of stored identity data, biometric data, and contextual datafor a given individual from the memory; determining, by theidentification service processor module, an identity estimate and alevel of certainty indicator of an identity match based on a comparisonof the dynamic biometric data and the dynamic contextual data regardingthe individual to the stored biometric data and the stored contextualdata regarding the subscribers; determining that a certificate should beissued to the individual based on the level of certainty indicator; andissuing the certificate to a computing device to allow the individual touse the computing device to access an information system.

BRIEF DESCRIPTION OF THE DRAWINGS

The scope of the present disclosure is best understood from thefollowing detailed description of exemplary embodiments when read inconjunction with the accompanying drawings, wherein:

FIG. 1 is a block diagram illustrating a system hardware architecture inaccordance with an exemplary embodiment;

FIG. 2 is a block diagram illustrating a system hardware architecture inaccordance with an exemplary embodiment;

FIGS. 3A-3D are a flow chart illustrating a method according to anexemplary embodiment;

FIG. 4 is a flow chart illustrating a method according to an exemplaryembodiment; and

FIG. 5 illustrates a hardware architecture of a processor module inaccordance with an exemplary embodiment.

DETAILED DESCRIPTION

The present disclosure is directed to a system 100 for issuing acertificate (e.g., a digital certificate such as a X.509 certificate) topermit access to information. The system of the present disclosureremoves the need for hardware tokens, and instead enrolls newcredentials by validating an individual's identity through a trustedidentification service of an identification service processor module, alocation service of a location service processor module, and acombination of contextual and biometric sensors. Enrollment of thesecredentials occurs without user participation and occurs right beforethe user engages a computing device (e.g., a workstation) within an area(e.g., a campus environment). Also, the computing device does not needits own biometric or contextual sensing devices.

In a non-limiting embodiment, FIG. 1 shows a system 100 for issuing acertificate to permit access to information. The system 100 includes amemory device 104 storing a directory 106 that includes identity data108, biometric data 110, and contextual data 112 regarding subscribers(e.g., individuals, users). The memory device 104 is part of a computingdevice 102 such as a server, personal computer, laptop, tablet, etc. Thememory device 104 can be, for example, a hard disk drive, a RAM, a ROM,a solid state drive, etc. The directory 106 includes identityinformation for subscribers within an enterprise (e.g., a company,organization, team, etc.). The identity information in the directory 106can include, for example, names, passwords, phone numbers, emailaddresses, physical addresses (e.g., home address, work address, etc.),etc. for the subscribers.

The system 100 also includes an identification service processor module114 that is configured to receive dynamic biometric data and dynamiccontextual data regarding an individual 116 when that individual 116 islocated within an area 118 (e.g., room, campus environment, etc.). Thedynamic biometric data is dynamic in that the biometric data of theindividual 116 can be captured periodically, intermittently, orcontinuously, and sent to the identification service processor module114 periodically intermittently, or continuously. Similarly, the dynamiccontextual data is dynamic in that the contextual data of the individual116 can be captured periodically, intermittently, or continuously, andsent to the identification service processor module 114 periodicallyintermittently, or continuously. For example, the dynamic contextualdata can indicate the various physical locations of the individualwithin the area 118. The identification service processor module 114 isconfigured to receive (from the memory device 104 of the computingdevice 102) at least one of stored identity data 108, stored biometricdata 110 and stored contextual data 112 for a given individual 116 so asto provide an identity estimate and a level of certainty indicator of anidentity match based on a comparison of the dynamic biometric data andthe dynamic contextual data regarding the individual 116 to the storedbiometric data 110 and the stored contextual data 112 regarding thesubscribers.

The location service processor module 128 passes dynamic biometric data110 and dynamic contextual data 112 for a given individual to theidentification service processor module 114 that compiles data from theentire sensor network to estimate the identity of all individuals 116within the coverage area 118. The identification service processormodule 114 compares dynamic biometric and dynamic contextual data setsprovided by the network of sensors to the data sets recorded in thedirectory 106. The identification service processor module 114 maintainsa running numeric representation of its certainty that a monitoredindividual corresponds to a given identity stored in the directory 106.For example, the running numeric representation for certainty can berepresented as a number from 1-100, 1-50, 1-20, 1-10, or any othernumber range.

The system 100 also includes a registration authority processor module120 configured to receive the identity estimate and the level ofcertainty indicator from the identification service processor module114, and to determine whether a certificate 202 should be issued to anindividual 116 based on the level of certainty indicator. The system 100also includes a certificate authority processor module 122 configured toissue the certificate 202 to a computing device 124 when it isdetermined that the certificate 202 should be issued. The certificate202 will allow an individual 116 to use the computing device 124 toaccess an information system 126. As seen in FIG. 1, in a non-limitingembodiment, the registration authority processor module 120 and thecertificate authority processor module 122 are part of a Public KeyInfrastructure (PKI) service. A Certificate Revocation List (CRL)distribution point 134 and an Online Certificate Status Protocol (OCSP)responder 136 can also be part of the PKI service. A CRL distributionpoint is an interface representing a distribution point. The OCSPresponder 136 may return a signed response signifying that a certificatespecified in a request is “good,” “revoked,” or “unknown.”

In an exemplary embodiment, the system 100 includes one or morecomputing devices 124 a, 124 b, . . . , 124 n that are located with aparticular area 118 (e.g., room, portion of a room, building, campus,etc.). The area 118 can be a predefined area. As seen in FIG. 2, thecomputing device 124 (e.g., computing device 124 a) can include asecurity key pair 204 stored in a memory device 200 to allow anindividual 116 to access an information system 126 (e.g., an informationsystem that is remote (i.e., external) from the computing device 124)upon receipt of the certificate 202 for that individual 116. As seen inFIG. 1, examples of remote information systems 126 are mail servers 126a, VPN gateways 126 b, application servers 126 c, any other servers 126n, etc. The memory device 200 can be, for example, a hard disk drive, aRAM, a ROM, a solid state drive, etc.

The system 100 also includes a location service processor module 128configured to receive a notification indicating presence of anindividual 116 within the area 118. The location service processormodule 128 is configured to receive the dynamic biometric data and thedynamic contextual data regarding an individual 116 from at least onesensor 130, 132, and to determine when that individual 116 is within apredetermined distance 206 of the computing device 124. FIG. 2 showsthat the individual 116 is located within the predetermined distance 206of the computing device 124 a. The computing device 124 a cancommunicate with a remote information system 126 via a network. In anexemplary embodiment, the predetermined distance 206 is 1 to 2 feet. Thepredetermined distance can also be 1 to 5 feet. The predetermineddistance can be any distance at which it is appropriate to operate thecomputing device 124. In an exemplary embodiment, the location serviceprocessor module 128 and the location service processor module can bepart of the same processor device (e.g., CPU) or located in separateprocessor devices. Similarly, the registration authority processormodule 120 and the certificate authority processor module 122 can bepart of the same processor device or located in separate processordevices.

The sensor network feeds data to the location service processor module128, and the location service processor module 128 detects when anindividual 116 has entered the coverage area of the sensor network. Thelocation service processor module 128 digitally records that theindividual 116 is present in the coverage area 118, and monitors anddigitally records the movement of the individual 116 throughout the area118. In an exemplary embodiment, the location service processor module128 alerts other elements of the system when the individual 116 entersor departs areas of interest, for example within the predetermineddistance of a computing device 124. For example, the location serviceprocessor module 128 can alert the registration authority processormodule 120 and the certificate authority processor module 122 when theindividual 116 enters or departs areas of interest.

In an exemplary embodiment, the system 100 includes one or more sensorsin the sensor network (e.g., contextual sensor or sensors 132 and/orbiometric sensor or sensors 130) configured to detect presence andlocation of an individual 116. The biometric data can be one or moresets of data that represent an information system's ability to sense theindividual 116 by the one or more sensors (e.g., one or more biometricsensors 130 and/or one or more contextual sensors 132). The biometricdata sets can be, for example, facial recognition data, fingerprintdata, voice recognition data, etc. Contextual data can be one or moresets of data that represent the state of the individual 116 or theenvironment around the individual 116. The contextual data sets can be,for example, the location the individual 116 is currently at, the timethe individual 116 is there, where the individual 116 has beenpreviously, whether any other indicators show the individual 116 inanother location, what wireless devices are in the vicinity of theindividual 116, etc.

The one or more biometric sensors 130 and the one or more contextualsensors 132 form the sensor network. The sensors 130, 132 can include,for example, cameras for facial recognition, optical sensors forlocation or movement tracking, microphones for gait or voicerecognition, fingerprint readers, and radio frequency (RF) monitors.These sensors provide coverage of the entire area in which the computingdevices 124 (e.g., client devices) are intended to operate withbiometrically and contextually registered credentials. The selection ofsensor types can be tailored to the deployment, but the set of sensorsused can be able to identify an individual's position within 1-2 feet(or any other distance less than 5 feet) of a computing device 124 inorder to determine whether the individual 116 is attempting to engagethe computing device 124. In an exemplary embodiment, the contextualsensors 132 can be, for example, multiple optical sensors with machinevision and object triangulation capabilities. Other sensors with thesecapabilities can also be used. The devices shown in FIG. 1 cancommunicate with each other over a network.

In an exemplary embodiment, the location service processor module 128 isconfigured to notify the registration authority processor module 120when an individual 116 is determined to be within the predetermineddistance 206 of the computing device 124 by one or more of the sensors130, 132.

In an exemplary embodiment, the location service processor module 128 isconfigured to create a record of movement of an individual 116 about thearea 118 over time. For example, the amount of time can be from when theindividual 116 enters the area 118 to when the individual 116 leaves thearea. The record of movement of the individual 116 and other individualscan be stored in a memory device of the location service processormodule 128 or in a memory device external to the location serviceprocessor module 128.

In an exemplary embodiment, the registration authority processor module120 is configured to query the identification service processor module114 for the identity estimate of an individual 116 and the level ofcertainty indicator when the location service processor module 128 hasdetermined that individual 116 to be within the predetermined distance206 of the computing device 124.

In an exemplary embodiment, the registration authority processor module120 is configured to receive information that indicates when anindividual 116 has moved away from the computing device 124 or hasdisengaged from the computing device 124, and to use the information todecide whether to revoke the certificate 202 when the registrationauthority processor module 120 has determined that the individual 116has moved away from the computing device 124 or has disengaged from thecomputing device 124. The information that indicates when an individual116 has moved away from the computing device 124 or has disengaged fromthe computing device 124 is produced based on detections by the sensornetwork.

In an exemplary embodiment, the identification service processor module114 is configured to receive the dynamic biometric data and the dynamiccontextual data regarding an individual 116 from the location serviceprocessor module 128. The identification service processor module 114 isconfigured to receive the stored biometric data 110 and the storedcontextual data 112 regarding subscribers from the directory 106.However, the identification service processor module 114 can receive thedynamic biometric data and the dynamic contextual data regarding anindividual 116 from a device intermediate to the location serviceprocessor module 128 (i.e., indirectly from the location serviceprocessor module 128). The identification service processor module 114can receive the stored biometric data 110 and the stored contextual data112 regarding subscribers from a device intermediate to the directory106 (i.e., indirectly from the directory 106).

The computing devices 124 a, 124 b, . . . , 124 n are a fleet ofworkstations, mobile computing devices, or other client devices (e.g.,desktop computers, laptop computers, tablets, smartphones, etc.) withinthe coverage area of the sensor network of the sensors 130, 132. Thelocation of each computing device 124 is known to the location serviceprocessor module 128, either through manual configuration if it is in afixed location, or through asset tracking via the sensor network if itis a mobile device. In an exemplary embodiment, through either manualconfiguration or monitoring through the sensor network, the physicallocations of the computing devices 124 are known to the registrationauthority processor module 120 (functioning as a RegistrationAuthority). The registration authority processor module 120 monitors theindividuals 116 within the coverage area 118 relative to the computingdevices 124 using the sensor network. Each computing device 124 is inpossession of a trusted PKI credential asserting the identity of thecomputing device 124 which can be used to negotiate session keys withthe registration authority processor module 120 for an authenticated andconfidential communication tunnel. The tunnel is used to securely enrolluser certificates with the registration authority processor module 120and to attest to the location in which user keys are generated.

When an individual's 116 proximity to a computing device 124 is closeenough to suggest that the individual 116 intends to operate a computingdevice 124 (for example is located within a predetermined distance ofthe computing device 124), the location service processor module 128notifies the registration authority processor module 128 that acertificate enrollment may be required. The registration authorityprocessor module 128 queries the identification service processor module114 for the identity of the individual 116. The identification serviceprocessor module 114 returns the identity of the individual 116 alongwith a numeric representation of its certainty of the identity of theindividual 116. The registration authority processor module 128 uses thecertainty value to decide whether or not to issue a certificate to theindividual 116, and optionally, whether to include a Policy ObjectIdentifier (OID) to assert a level of confidence in the identity of theindividual 116. If the registration authority processor module 120decides to issue the certificate it can either generate the asymmetrickey pair itself and direct a certificate authority processor module 122to issue a certificate for it, or it can direct the computing device 124to generate the key pair through a standard certificate managementprotocol and return a certificate signing request to the registrationauthority processor module 120 or the certificate authority processormodule 122 to certify.

The certificate authority processor module 122 is the entity responsiblefor issuing client certificates within the PKI. Its operation is definedin a published Certificate Policy and Certificate Practice Statement.All relying parties within the PKI use the certificate authorityprocessor module's certificate to validate client certificates issuedunder it. The certificate authority processor module 122 also providesCertificate Revocation Lists (CRL) to alert relying parties ofcertificates which are no longer trustworthy. New certificates areenrolled by submitting a Certificate Signing Request, which thecertificate authority processor module 122 validates and responds with asigned certificate. Revocation of the certificate invalidates it for usewhen authenticating to remote systems 126. Alternatively, the computingdevice 124 can disable private key access until the authenticatedindividual returns to use the system 126.

In an exemplary embodiment, the identification service processor module114 is configured to periodically update the identity estimate and thelevel of certainty indicator. For example, the update can happen at afixed, predetermined time interval or can happen at varying timeintervals.

In an exemplary embodiment, the identification service processor module114 is configured to perform the comparison by using at least one of thedynamic biometric data and the dynamic contextual data as an index tothe memory 104 for an indirect comparison, and to receive the other ofthe stored biometric data 110 and the stored contextual data 112 inresponse thereto for a direct comparison to the other of the dynamicbiometric data and the dynamic contextual data. For example, theidentification service processor module 114 can send the dynamicbiometric data to the memory device 104 storing the directory 106, andthe computing device 102 compares the received dynamic biometric data tothe stored biometric data 110 entries. When there is a match of thebiometric data, the computing device sends the stored contextual data112 and the user identity 108 that corresponds to the stored biometricdata that matches the dynamic biometric data back to the identificationservice processor module 114. Once the identification service processormodule 114 has received the stored contextual data 112, it compares thestored contextual data 112 to the dynamic contextual data.

Also, the identification service processor module 114 can send thedynamic contextual data to the memory device 104 storing the directory106, and the computing device 102 compares the received dynamiccontextual data to the stored contextual data 112 entries. When there isa match of the contextual data, the computing device sends the storedbiometric data 110 and the user identity 108 that corresponds to thestored contextual data 112 that matches the dynamic contextual data backto the identification service processor module 114. Once theidentification service processor module 114 has received the storedbiometric data 110, it compares the stored biometric data 110 to thedynamic biometric data. So, one check of the data is performed by thecomputing device 102, and one check of the data is performed by theidentification service processor module 114.

In an exemplary embodiment, both checks can be performed by thecomputing device 102. For example, the identification service processormodule 114 can send the dynamic contextual data and the dynamicbiometric data to the memory device 104 storing the directory 106, andthe computing device 102 compares the received dynamic contextual datato the stored contextual data 112 entries and the computing device 102compares the received dynamic biometric data to the stored biometricdata 110 entries. When there is a match of both the contextual data andthe biometric data, the computing device sends the stored user identity108 that corresponds to the matched contextual data 112 and the matchedbiometric data 110 back to the identification service processor module114.

In an exemplary embodiment, both checks can be performed by theidentification service processor module 114. The computing device 102sends all or some of the data in the directory 106 to the identificationservice processor module 114. Once the identification service processormodule 114 has received all or some of the data in the directory 106, itcompares the dynamic biometric data and the dynamic contextual data tothe received data from the directory 106 for matches.

In an exemplary embodiment, the identification service processor module114 is configured to determine the level of certainty indicator byindividually weighting each of the dynamic biometric data and thedynamic contextual data according to a respective reliability factor. Inan exemplary embodiment, the level of certainty indicator is at leastone number. However, the level of certainty indicator can be a letter,symbol, color, picture, etc.

The sensor network is deployed throughout the area 118 and continuouslymonitors for the presence of individuals within its coverage area. Whenan individual 116 enters the area 118, the sensor network detects thepresence of the individual 116. This can be through visual detection,wherein a camera detects motion and uses computer vision to identify themoving object as a human, however audio and RF based sensors could alsoachieve this functionality. In a camera-based solution, the position ofthe individual 116 within the field of view of the camera provides thesensor 132 the angle component of a vector from the camera to theindividual 116. When multiple cameras detect the same individual 116,the angles they detect for that individual 116 can be used totriangulate the location of the individual 116, creating the locationdata (e.g., coordinates, etc.) necessary to track their movement throughthe area 118.

When a new individual 116 has been detected in the area 118, the sensornetwork alerts the location service processor module 128 which creates alogical record of the individual's 116 presence and location. Thisrecord is continually updated with new location data provided by thesensor network. Location data are the coordinates of the individual 116at a given time. The sensor network also provides biometric andcontextual data which are associated with the logical record of theindividual 116 in the location service processor module 128 and passedalong to the identification service processor module 114. As moreindividuals 116 enter the area 118, the location service processormodule 128 creates records for each new individual 116 detected by thesensor network and maintains a record of their location.

The identification service processor module 114 receives biometric andcontextual data samples associated with an individual's logical recordfrom the location service processor module 128. The identificationservice processor module 114 compares these samples to data recorded inthe directory 106 of users (e.g., could be a directory of all employeesof a corporation). These comparisons will provide a level of certaintythat a given logical record of an individual 116 from the locationservice processor module 128 has an identity in the directory 106. Forexample, this level of certainty can be represented as a number from1-100 (i.e., a running numeric), where the identification serviceprocessor module 114 will have a low level of certainty (e.g., 1-20)that an individual 116 is the incorrect identity, and a high level ofcertainty (e.g., 80-100) that an individual 116 is the correct Identity.This level of certainty increases or decreases with the analysis of newbiometric and contextual data provided by the location service processormodule 128. A simple algorithm for this aggregate certainty could beaveraging the instantaneous certainty of each individual sample. Forexample, if the identification service processor module 114 has 10samples of biometric and contextual data, 9 of them offer 90% certaintyand 1 provides 20% certainty, the aggregate level of certainty is 83%.In practice though, biometric and contextual data types should beweighted according to their reliability. With sufficient biometric andcontextual sensors 130, 132 deployed within the area 118, theidentification service processor module 114 should receive enough datasamples for a new individual entering the area 118 to isolate a singleidentity in the directory 106 with a high level of certainty prior tothe individual reaching a computing device 124.

The location service processor module 128 has the coordinates of allcomputing devices 124 within the area 118. When the location serviceprocessor module 128 detects that an individual has moved within acritical distance of a computing device 124, typically 1-2 feet, italerts the registration authority processor module 120 that acertificate enrollment may need to occur on that computing device 124.The registration authority processor module 120 queries theidentification service processor module 114 for the identity estimate ofthe individual 116 at that location. The identification serviceprocessor module 114 returns a list of one or more identity estimateswith their associated levels of certainty. The registration authorityprocessor module 120 is responsible for determining whether acertificate should be issued based on this information. The registrationauthority processor module 120 does this by determining whether thelevel of certainty of the most likely estimate (i.e., the one with thehighest level of certainty) is greater than a predefined level (e.g.,greater than 80), and whether the most likely estimate is greater thanthe second most likely estimate by at least a predefined quantity (e.g.,the most likely estimate must be 50 points more likely than the secondmost likely). If the most likely identity estimate meets these criteria,the registration authority processor module 120 initiates thecertificate issuance procedure. If not, the registration authorityprocessor module 120 can optionally initiate an alternative orsupplementary identity vetting procedure, such as directing theindividual 116 to submit an additional biometric sample (e.g., afingerprint) or electronically authenticate with a hardware token,directly on the computing device 124 to further improve the identityestimate. If the additional identity information is sufficient to raisethe identity estimate to meet the criteria, the registration authorityprocessor module 120 can initiate the certificate issuance procedure.

Issuance of new certificates can occur through several differentprotocols, e.g., standards-based protocols such as CertificateManagement Protocol (CMP) or Enrollment over Secure Transport (EST)which are preferred for interoperability considerations. Using theseprotocols, the certificate authority processor module 122 can enroll anew certificate through either a centralized key generation model or adistributed key generation model. In a centralized model, thecertificate authority processor module 122 generates the key pair forthe credential locally, issues a certificate for it, and sends thecertificate and private key (both encrypted) to the computing device124. In a distributed model, the certificate authority processor module122 directs the computing device 124 to generate the key pair and returna certificate signing request which the certificate authority processormodule 122 uses to generate a certificate to return to the computingdevice 124.

Once the computing device 124 has received the certificate asserting theidentity of the individual 116 from the certificate authority processormodule 122, the individual 116 is able to use the credential on thecomputing device 124 to authenticate to local and remote informationsystems that trust the certificate authority processor module 122. In anexemplary embodiment, hardware tokens or passwords can be layered on topof biometric and contextual data as an added data set.

FIGS. 3A-3D are a detailed flow chart of the steps performed by thecomponents of the system 100, the broader flow diagram of FIG. 4 will bediscussed first. FIG. 4 illustrates an exemplary method for issuing acertificate 202 to permit access to information. The method includesstoring identity data 108, biometric data 110, and contextual data 112regarding subscribers in a directory 106 of a memory 104 (step S400).The method includes receiving, in an identification service processormodule 114, dynamic biometric data and dynamic contextual data regardingan individual 116 when that individual is located within an area 118(step S402). The method includes receiving, in the identificationservice processor module 114, at least one of stored identity data 108,biometric data 110, and contextual data 112 for a given individual fromthe memory 104 (step S404). The method also includes determining, by theidentification service processor module 114, an identity estimate and alevel of certainty indicator of an identity match based on a comparisonof the dynamic biometric data and the dynamic contextual data regardingthe individual to the stored biometric data 110 and the storedcontextual data 112 regarding the subscribers (step S406). The methodalso includes determining that a certificate 202 should be issued to theindividual 116 based on the level of certainty indicator (step S408).The method further includes issuing the certificate 202 to a computingdevice 124 to allow the individual to use the computing device 124 toaccess an information system 126 (step S410).

In an exemplary embodiment, the method can include storing a securitykey pair 204 in a memory 200 of the computing device 124; and using thecertificate 202 and the security key pair 204 to access the informationsystem 126.

In an exemplary embodiment, the method can include receiving, in alocation service processor module 128, a notification indicatingpresence of the individual 116 within the area 118. It also can includereceiving, in the location service processor module 128, the dynamicbiometric data and the dynamic contextual data regarding the individual116 from at least one sensor 130, 132; and determining, by the locationservice processor module 128, that the individual 116 is within apredetermined distance 206 of the computing device 124.

In an exemplary embodiment, the method can include sending, by thelocation service processor module 128, a notification to a registrationauthority processor module 120 after the individual 116 is determined tobe within the predetermined distance 206 of the computing device 124.

In an exemplary embodiment, the method can include creating, by thelocation service processor module 128, a record of movement of theindividual 116 about the area 118 over time.

In an exemplary embodiment, the method can include querying, by aregistration authority processor module 120, the identification serviceprocessor module 114 for the identity estimate of the individual 116 andthe level of certainty indicator when the location service processormodule 128 has determined that the individual 116 is within thepredetermined distance 206 of the computing device 124.

In an exemplary embodiment, the method can include receiving, in aregistration authority processor module 120, information that indicatesthat the individual 116 has moved away from the computing device 124 orhas disengaged from the computing device 124. It can also includedeciding, by the registration authority processor module 120, whether torevoke the certificate 202 when the registration authority processormodule 120 has determined from the information that the individual 116has moved away from the computing device 124 or has disengaged from thecomputing device 124.

In an exemplary embodiment, the method can include detecting, with oneor more sensors 130, 132, presence and location of the individual 116.The dynamic biometric data and the dynamic contextual data regarding theindividual that is received by the identification service processormodule 114 can be sent by the location service processor module 128.

In an exemplary embodiment, the method can include periodicallyupdating, by the identification service processor module 114, theidentity estimate and the level of certainty indicator. The comparing bythe identification service processor module 114 includes using at leastone of the dynamic biometric data and the dynamic contextual data as anindex to the memory 104 for an indirect comparison. The method can alsoinclude receiving the other of the stored biometric data 110 and thestored contextual data 112 in response thereto for a direct comparisonto the other of the dynamic biometric data and the dynamic contextualdata. The determining of the level of certainty indicator by theidentification service processor module 114 is performed by individuallyweighting each of the dynamic biometric data and the dynamic contextualdata according to a respective reliability factor. The level ofcertainty indicator can be at least one number.

FIGS. 3A-3D are a flow chart illustrating a method according to anexemplary embodiment. In FIG. 3A, in step S300, one or more sensors 130,132 scan for presence of individuals 116 within an area 118. In stepS302, the location service processor module 128 evaluates contextual andbiometric measurements from the biometric sensors 130 and the contextualsensors 132 to determine whether they indicate the presence of anindividual 116 within the area 118. In step S304, if the locationservice processor module 128 detects an individual 116, it triangulatesits location with the area 118.

In step S306, the location service processor module 128 checks itsdatabase of individuals currently located within the area 118 todetermine whether the detected location is within a critical distance ofthe location of an individual 116 it has already detected. If thelocation service processor module 128 finds no previous record of anindividual at this location in its database, the location serviceprocessor module 128 creates a new record of the movements of thisindividual (step S308). If the location service processor module 128determines that an individual is already being tracked at this location,the location service processor module 128 assumes it is the sameindividual and provides contextual and biometric data for thisindividual to the identification service processor module 114 forevaluation (step S310).

After step S310, the method continues to step S316 in FIG. 3C, which isperformed by the identification service processor module 114 or to stepS312 in FIG. 3A. In step S316, the identification service processormodule 114 evaluates the new contextual and biometric data againstsamples in the directory 106 to determine whether they match registeredsubscribers. In step S318, the identification service processor module114 identifies all subscribers in the directory 106 for which thesamples match above a critical level of certainty. Next, in step S320,if the identification service processor module 114 does not match thecollected data to any subscribers in the directory 106, the individual116 is presumed to be a guest. If there is a running estimate of theidentity from previously collected samples, the estimate is decrementedusing a weighted average. After step S318, in step S322, if theidentification service processor module 114 matches the collected datato a single subscriber, it updates the running estimate of the identityof the subscriber using a weighted average. After step S318, in stepS324, if the identification service processor module 114 matches thecollected data to multiple users, it updates each of the runningestimates of the identity of the subscriber using a weighted average.

In FIG. 3A, in step S312, the location service processor module 128updates the current location of the individual 116 in its database witha timestamp of the observation. In step S314, the location serviceprocessor module 128 compares the individual's current location to itsdatabase of computing device locations. If the individual 116 is withina predetermined distance to a computing device 124, it alerts theregistration authority processor module 120 that issuance of acertificate may be required. Next, in step S326 of FIG. 3B, theregistration authority processor module 120 queries the identificationservice processor module 114 for all running estimates of theindividual's identity. Next, the flow chart proceeds to FIG. 3C to stepS328, S330, or S332.

In step S328, if the identification service processor module 114 reportsback that there is no running estimate for this individual 116, or thatthe running estimate(s) has dropped below the critical level ofcertainty, the registration authority processor module 120 does notissue a certificate, and diverts the individual 116 to an alternativeregistration process (e.g., requiring a password, smart card, etc.) Instep S332, if the identification service processor module 114 reportsback that there are multiple running estimates for this individual 116above the critical level of certainty, the registration authorityprocessor module 120 does not issue a certificate, and diverts theindividual 116 to an alternate registration process (e.g., requiring apassword, smart card, etc.). In step S330, if the identification serviceprocessor module 114 reports back to a single running estimate that isabove the critical level of certainty, the registration authorityprocessor module 120 initiates issuance of the certificate.

After step S330, the process proceeds to step S334 of FIG. 3B. In stepS334, the registration authority processor module 120 retrieves from thedirectory 106 any necessary data to issue a new certificate for theidentified subscriber (e.g., subject distinguished name or subjectalternative names). Next, in step S336, the registration authorityprocessor module 120 sends additional certificate enrollment instructionto the computing device 124. After step, S336, the process proceeds tostep S338 of FIG. 3D.

In step S338, the computing device 124 executes the certificateenrollment instructions and requests a new certificate from thecertificate authority processor module 122. Next, in step S340, thecertificate authority processor module 122 validates the certificaterequest and issues a certificate to the individual 116. The certificateauthority processor module 122 sends the certificate to the computingdevice 124. Next, in step S342, the computing device 124 accepts thecertificate and makes it available to the user (i.e. the individual 116)to authenticate to relying parties of the PKI.

FIG. 5 is a block diagram illustrating an architecture in accordancewith an exemplary embodiment that can be used as a processor modulearchitecture 500, i.e. for the identification service processor module114, location service processor module 128, registration authorityprocessor module 120, and certificate authority processor module 122 inFIG. 1. A similar computing device architecture could be used for thecomputing device 102 and computing devices 124 a, 124 b, . . . 124 n. Aperson having ordinary skill in the art may appreciate that embodimentsof the disclosed subject matter can be practiced with various computersystem configurations, including multi-core multiprocessor systems,minicomputers, mainframe computers, computers linked or clustered withdistributed functions, as well as pervasive or miniature computers thatmay be embedded into virtually any device. For instance, at least oneprocessor device and a memory may be used to implement the abovedescribed embodiments.

A hardware processor device as discussed herein may be a single hardwareprocessor, a plurality of hardware processors, or combinations thereof.Hardware processor devices may have one or more processor “cores.” Theterm “non-transitory computer readable medium” as discussed herein isused to generally refer to tangible media such as a memory device 502.

Various embodiments of the present disclosure are described in terms ofthis exemplary computing device 500. After reading this description, itwill become apparent to a person skilled in the relevant art how toimplement the present disclosure using other computer systems and/orcomputer architectures. Although operations may be described as asequential process, some of the operations may in fact be performed inparallel, concurrently, and/or in a distributed environment, and withprogram code stored locally or remotely for access by single ormulti-processor machines. In addition, in some embodiments the order ofoperations may be rearranged without departing from the spirit of thedisclosed subject matter.

Hardware processor 514 may be a special purpose or a general purposeprocessor device. The hardware processor device 514 may be connected toa communications infrastructure 508, such as a bus, message queue,network, multi-core message-passing scheme, etc. The network shown inFIGS. 1 and 2 may be any network suitable for performing the functionsas disclosed herein and may include a local area network (LAN), a widearea network (WAN), a wireless network (e.g., Wi-Fi), a mobilecommunication network, a satellite network, the Internet, fiber optic,coaxial cable, infrared, radio frequency (RF), or any combinationthereof. Other suitable network types and configurations will beapparent to persons having skill in the relevant art. The computingdevice 500 may also include a memory 502 (e.g., random access memory,read-only memory, etc.), and may also include one or more additionalmemories. The memory 502 and the one or more additional memories may beread from and/or written to in a well-known manner. In an embodiment,the memory 502 and the one or more additional memories may benon-transitory computer readable recording media.

Data stored in the computing device 500 (e.g., in the memory 502) may bestored on any type of suitable computer readable media, such as opticalstorage (e.g., a compact disc, digital versatile disc, Blu-ray disc,etc.), magnetic tape storage (e.g., a hard disk drive), or solid-statedrive. An operating system can be stored in the memory 502.

In an exemplary embodiment, the data may be configured in any type ofsuitable database configuration, such as a relational database, astructured query language (SQL) database, a distributed database, anobject database, etc. Suitable configurations and storage types will beapparent to persons having skill in the relevant art.

The computing device 500 may also include a communications interface510. The communications interface 510 may be configured to allowsoftware and data to be transferred between the computing device 500 andexternal devices. Exemplary communications interfaces 510 may include amodem, a network interface (e.g., an Ethernet card), a communicationsport, a PCMCIA slot and card, etc. Software and data transferred via thecommunications interface 510 may be in the form of signals, which may beelectronic, electromagnetic, optical, or other signals as will beapparent to persons having skill in the relevant art. The signals maytravel via a communications path 512, which may be configured to carrythe signals and may be implemented using wire, cable, fiber optics, aphone line, a cellular phone link, a radio frequency link, etc.

Memory semiconductors (e.g., DRAMs, etc.) may be means for providingsoftware to the computing device 500. Computer programs (e.g., computercontrol logic) may be stored in the memory 502. Computer programs mayalso be received via the communications interface 510. Such computerprograms, when executed, may enable computing device 500 to implementthe present methods as discussed herein. In particular, the computerprograms stored on a non-transitory computer-readable medium, whenexecuted, may enable hardware processor device 502 to implement themethods illustrated by FIGS. 3A, 3B, 3C, 3D, and 4, or similar methods,as discussed herein. Accordingly, such computer programs may representcontrollers of the computing device 500. Where the present disclosure isimplemented using software, the software may be stored in a computerprogram product or non-transitory computer readable medium and loadedinto the computing device 500 using a removable storage drive orcommunications interface 510.

The computing device 500 may also include a display interface 506 thatoutputs display signals to a display unit 504, e.g., LCD screen, plasmascreen, LED screen, DLP screen, CRT screen, etc.

Where the present disclosure is implemented using software, the softwaremay be stored in a computer program product or non-transitory computerreadable medium and loaded into one or more of the identificationservice processor module 114, the location service processor module 128,the registration authority processor module 120, and the certificateauthority processor module 122 using a removable storage drive or acommunications interface.

Thus, it will be appreciated by those skilled in the art that thepresent invention can be embodied in other specific forms withoutdeparting from the spirit or essential characteristics thereof. Thepresently disclosed embodiments are therefore considered in all respectsto be illustrative and not restricted. The scope of the invention isindicated by the appended claims rather than the foregoing descriptionand all changes that come within the meaning and range and equivalencethereof are intended to be embraced therein.

1. A system for issuing a certificate to permit access to information,the system comprising: a memory storing a directory that includesidentity data, biometric data, and contextual data regardingsubscribers; an identification service processor module configured toreceive dynamic biometric data and dynamic contextual data regarding anindividual when that individual is located within an area, and toreceive from the memory at least one of stored identity data, biometricdata, or contextual data for a given individual so as to provide anidentity estimate and a level of certainty indicator of an identitymatch based on a comparison of the dynamic biometric data and thedynamic contextual data regarding the individual to the stored biometricdata and the stored contextual data regarding the subscribers, whereinthe level of certainty indicator is determined by weighting the dynamiccontextual data according to a related reliability factor; aregistration authority processor module configured to receive theidentity estimate and the level of certainty indicator from theidentification service processor module, and to determine that acertificate should be issued to an individual when a level of certaintyindicator of a first identity estimate is greater than a predefinedlevel, and the first identity estimate is greater than a second identityestimate by a specific value; and a certificate authority processormodule configured to issue the certificate to a computing device when itis determined that the certificate should be issued, wherein thecertificate will allow an individual to use the computing device toaccess an information system, wherein the identification serviceprocessor module is arranged to be external to the computing device. 2.The system of claim 1, in combination with a computing device, whereinthe computing device comprises: a security key pair stored in a memoryto allow an individual to access an information system upon receipt ofthe certificate for that individual.
 3. The system of claim 1,comprising: a location service processor module configured to receive anotification indicating presence of an individual within the area, thelocation service processor module being configured to receive thedynamic biometric data and the dynamic contextual data regarding anindividual from at least one sensor, and to determine when thatindividual is within a predetermined distance of the computing device.4. The system of claim 3, wherein the location service processor moduleis configured to notify the registration authority processor module whenan individual is determined to be within the predetermined distance ofthe computing device.
 5. The system of claim 3, wherein the locationservice processor module is configured to create a record of movement ofan individual about the area over time.
 6. The system of claim 3,wherein the registration authority processor module is configured toquery the identification service processor module for the identityestimate of an individual and the level of certainty indicator when thelocation service processor module has determined that individual to bewithin the predetermined distance of the computing device.
 7. The systemof claim 1, wherein the registration authority processor module isconfigured to receive information that indicates when an individual hasmoved away from the computing device or has disengaged from thecomputing device, and to use the information to decide whether to revokethe certificate when the registration authority processor module hasdetermined that individual to have moved away from the computing deviceor to have disengaged from the computing device.
 8. The system of claim1, comprising: one or more sensors configured to detect presence andlocation of an individual.
 9. The system of claim 3, wherein theidentification service processor module is configured to receive thedynamic biometric data and the dynamic contextual data regarding anindividual from the location service processor module, and theidentification service processor module is configured to receive thestored biometric data and the stored contextual data regardingsubscribers from the directory.
 10. The system of claim 1, wherein theidentification service processor module is configured to periodicallyupdate the identity estimate and the level of certainty indicator. 11.The system of claim 1, wherein the identification service processormodule is configured to perform the comparison by using at least one ofthe dynamic biometric data, or the dynamic contextual data as an indexto the memory for an indirect comparison, and to receive the other ofthe stored biometric data and the stored contextual data in responsethereto for a direct comparison to the other of the dynamic biometricdata and the dynamic contextual data.
 12. The system of claim 1, whereinthe identification service processor module is configured to determinethe level of certainty indicator by weighting the dynamic biometric dataaccording to a related reliability factor.
 13. The system of claim 1,wherein the level of certainty indicator is at least one number.
 14. Thesystem of claim 3, wherein the predetermined distance is 1 to 2 feet.15. A method for issuing a certificate to permit access to information,comprising: storing identity data, biometric data, and contextual dataregarding subscribers in a directory of a memory; receiving, in anidentification service processor module, dynamic biometric data anddynamic contextual data regarding an individual when that individual islocated within an area; receiving, in the identification serviceprocessor module, at least one of stored identity data, biometric data,or contextual data for a given individual from the memory; determining,by the identification service processor module, an identity estimate anda level of certainty indicator of an identity match based on acomparison of the dynamic biometric data and the dynamic contextual dataregarding the individual to the stored biometric data and the storedcontextual data regarding the subscribers, wherein the determining ofthe level of certainty indicator includes weighting the dynamiccontextual data according to a related reliability factor; determiningthat a certificate should be issued to the individual when a level ofcertainty indicator of a first identity estimate is greater than apredefined level, and the first identity estimate is greater than asecond identity estimate by a specific value; and issuing thecertificate to a computing device to allow the individual to use thecomputing device to access an information system, wherein theidentification service processor module is arranged to be external tothe computing device.
 16. The method of claim 15, comprising: storing asecurity key pair in a memory of the computing device; and using thecertificate and the security key pair to access the information system.17. The method of claim 15, comprising: receiving, in a location serviceprocessor module, a notification indicating presence of the individualwithin the area; receiving, in the location service processor module,the dynamic biometric data and the dynamic contextual data regarding theindividual from at least one sensor; and determining, by the locationservice processor module, that the individual is within a predetermineddistance of the computing device.
 18. The method of claim 17,comprising: sending, by the location service processor module, anotification to a registration authority processor module after theindividual is determined to be within the predetermined distance of thecomputing device.
 19. The method of claim 17, comprising: creating, bythe location service processor module, a record of movement of theindividual about the area over time.
 20. The method of claim 17,comprising: querying, by a registration authority processor module, theidentification service processor module for the identity estimate of theindividual and the level of certainty indicator when the locationservice processor module has determined that the individual is withinthe predetermined distance of the computing device.
 21. The method ofclaim 15, comprising: receiving, in a registration authority processormodule, information that indicates that the individual has moved awayfrom the computing device or has disengaged from the computing device;and deciding, by the registration authority processor module, whether torevoke the certificate when the registration authority processor modulehas determined from the information that the individual has moved awayfrom the computing device or has disengaged from the computing device.22. The method of claim 15, comprising: detecting, with one or moresensors, presence and location of the individual.
 23. The method ofclaim 17, wherein the dynamic biometric data and the dynamic contextualdata regarding the individual that is received by the identificationservice processor module is sent by the location service processormodule.
 24. The method of claim 15, comprising: periodically updating,by the identification service processor module, the identity estimateand the level of certainty indicator.
 25. The method of claim 15,wherein the comparing by the identification service processor moduleincludes using at least one of the dynamic biometric data, or thedynamic contextual data as an index to the memory for an indirectcomparison, and receiving the other of the stored biometric data and thestored contextual data in response thereto for a direct comparison tothe other of the dynamic biometric data and the dynamic contextual data.26. The method of claim 15, wherein the determining of the level ofcertainty indicator by the identification service processor module isperformed by weighting the dynamic biometric data according to a relatedreliability factor.
 27. The method of claim 15, wherein the level ofcertainty indicator is at least one number.
 28. The method of claim 17,wherein the predetermined distance is 1 to 2 feet.
 29. The system ofclaim 1, wherein the first identity estimate is identified to be one ofthe identity estimate with a highest level of certainty indicator, andthe second identity estimate is identified to be one of the identityestimate with a second highest level of certainty indicator.
 30. Themethod of claim 15, comprising: identifying that the first identityestimate is one of the identity estimate with a highest level ofcertainty indicator; and identifying that the second identity estimateis one of the identity estimate with a second highest level of certaintyindicator.
 31. The system of claim 5, wherein the record of movement ofthe individual includes information regarding one or more guests thataccompany the individual in the area.
 32. The method of claim 19,comprising: augmenting the record of movement of the individual withinformation regarding one or more guests that accompany the individualin the area.